In this project, we investigate, design and fully implement a framework in which firewalls can be tested. The firewalls are tested using real traffic that is chosen to exercise the firewall with minimal redundancy. The project involves universal policy representation, policy generation, and independent packet selection. This work is funded by Cisco and has resulted in more than one publication (see the publications section below). The project includes the following main modules:
We developed a grammar that can accommodate almost all firewall standards.
The grammar is annotated with contextual interpretation in order to support any ACL structure.
Firewall Policy Compilation
A compiler that can digest actual policies, based on the above-mentioned grammar.
The intermediate representation is completely homogeneous, so any change to a firewall standard will not affect any further module (not even this one).
Policy Generator
This component is capable of generating policies that follow the grammar provided.
The generation is highly tunable to attain a high degree of coverage.
There is no limit on the policy size: thousands upon thousands of syntactically and semantically different rules can be generated.
Risk Analyzer of Policy Interaction Patterns
Responsible for analyzing the policy and identifying points of risk.
Some interactions can be complex for the firewall, and careful analysis is automatically performed to assess the complexity of every area in the addressable packet space.
Smart Packet Selection
Packets are selected that will cover every decision path in the firewall filtering module.
By analyzing the policy, we are able to generate the minimum number of packets that will exhaust all the possible cases the firewall might face under the current policy.
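The pipeline described in the Firewall Policy Compilation, Risk Analyzer and Smart Packet Selection sections can be illustrated end to end on a toy scale. The following is an added example, not the project's own code: it compiles a small ACL written in a simplified Cisco-like syntax (CIDR prefixes rather than wildcard masks, an assumption made here for brevity) into a homogeneous interval-based intermediate representation, cuts the packet space into segments in which exactly the same ordered set of rules applies, flags segments where overlapping rules disagree on the action, and selects one representative packet per segment together with the first-match decision a correct firewall must produce. The sample policy, its addresses and its ports are constructed for the example.

```python
"""Added example (not the project's code): compile a small ACL into a
homogeneous interval-based IR, segment the packet space by which rules
apply, flag risky interactions, and select one test packet per segment."""
import ipaddress
import itertools
import re

# Field order of the homogeneous IR; every rule stores one closed integer
# interval per field, so later stages never see firewall-specific syntax.
FIELDS = ("proto", "src", "dst", "dport")
DOMAIN = {"proto": (0, 255), "src": (0, 2**32 - 1),
          "dst": (0, 2**32 - 1), "dport": (0, 65535)}
PROTO = {"ip": (0, 255), "icmp": (1, 1), "tcp": (6, 6), "udp": (17, 17)}

# Constructed sample policy in a simplified Cisco-like syntax (CIDR instead of
# wildcard masks). Addresses and ports are made up for the example.
SAMPLE_ACL = """
access-list 101 deny tcp 10.0.0.0/8 192.168.1.0/24 eq 23
access-list 101 permit tcp 10.0.0.0/8 192.168.1.0/24 range 20 25
access-list 101 permit udp any 192.168.1.53/32 eq 53
access-list 101 deny ip any any
"""

RULE_RE = re.compile(
    r"access-list\s+\S+\s+(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)"
    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?$")


def _net(token):
    """'any' or a CIDR prefix -> closed interval of 32-bit addresses."""
    if token == "any":
        return DOMAIN["src"]
    net = ipaddress.ip_network(token, strict=False)
    return (int(net.network_address), int(net.broadcast_address))


def parse_acl(text):
    """Compile ACL lines into the IR: list of {action, proto, src, dst, dport}."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        action, proto, src, dst, eq, lo, hi = m.groups()
        if eq is not None:
            dport = (int(eq), int(eq))
        elif lo is not None:
            dport = (int(lo), int(hi))
        else:
            dport = DOMAIN["dport"]
        rules.append({"action": action, "proto": PROTO[proto],
                      "src": _net(src), "dst": _net(dst), "dport": dport})
    return rules


def elementary_intervals(rules, field):
    """Cut the field's domain at every rule boundary; each piece is then
    entirely inside or entirely outside every rule on that field."""
    lo, hi = DOMAIN[field]
    cuts = {lo, hi + 1}
    for r in rules:
        cuts.add(r[field][0])
        cuts.add(r[field][1] + 1)
    pts = sorted(cuts)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]


def segment(rules):
    """Group the packet space into segments: all cells that are matched by
    the same ordered set of rules. Returns {rule-index tuple: sample packet}."""
    per_field = [elementary_intervals(rules, f) for f in FIELDS]
    segments = {}
    for cell in itertools.product(*per_field):
        # Testing the cell's lower corner suffices: the whole cell shares
        # the same set of matching rules by construction.
        pkt = {f: cell[i][0] for i, f in enumerate(FIELDS)}
        matching = tuple(i for i, r in enumerate(rules)
                         if all(r[f][0] <= pkt[f] <= r[f][1] for f in FIELDS))
        segments.setdefault(matching, pkt)
    return segments


def select_test_packets(rules):
    """One packet per segment, with the first-match decision the firewall must
    produce and a risk flag when overlapping rules disagree on the action."""
    tests = []
    for matching, pkt in segment(rules).items():
        actions = [rules[i]["action"] for i in matching]
        tests.append({"packet": pkt,
                      "rules": matching,
                      "expected": actions[0] if actions else "default",
                      "risky": len(set(actions)) > 1})
    return tests


if __name__ == "__main__":
    for t in select_test_packets(parse_acl(SAMPLE_ACL)):
        p = t["packet"]
        print(f"proto={p['proto']} {ipaddress.ip_address(p['src'])} -> "
              f"{ipaddress.ip_address(p['dst'])}:{p['dport']} "
              f"rules={t['rules']} expect={t['expected']} risky={t['risky']}")
```

For the four sample rules the 525 elementary cells collapse into four segments, so four packets are enough to exercise every decision path; each packet carries the decision the firewall is expected to return, which is what the validation harness compares against the firewall's actual behaviour. The segments in which several rules overlap with different actions are exactly the interaction patterns the risk analyzer singles out, since those are where an enforcement engine is most likely to disagree with the policy's intended semantics.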
Firewall Administration Component
Responsible for communicating with the firewall: uploading the policy, querying information, etc.
Publications
"An Automated Framework for Validating Firewall Policy Enforcement",
The Eighth International Workshop on Policies for Distributed Systems and Networks (Policy'07), Bologna, Italy, 2007.
Adel El-Atawy, Taghrid Samak, Zein Wali, Ehab Al-Shaer, Sheng Li, Frank Lin, and Christopher Pham.
"An Automated Framework for Validating Firewall Policy Enforcement",
Third Midwest Security Workshop (MSW'07), Purdue University, West Lafayette, IN, USA, April 21st, 2007.
Adel El-Atawy, Taghrid Samak, Zein Wali, Ehab Al-Shaer, Sheng Li, Frank Lin, and Christopher Pham.
"Policy Segmentation for Intelligent Firewall Testing",
First Workshop on Secure Network Protocols (NPSec'05, in conjunction with ICNP 2005), Boston, MA, USA, November 2005.
Adel El-Atawy, Khaled Ibrahim, Hazem Hamed, and Ehab Al-Shaer.